White House, tech titans reach agreement on surveillance disclosures

Companies can give numbers of FISA, NSL requests—but have to count by thousands.

The Obama administration has reached an agreement with a group of technology companies on disclosing requests for customer data in the cloud. But the agreement severely limits what the companies are able to disclose, and it fails to provide assurances that there won't be further broad requests for data.

The companies—including Facebook, Apple, Google, Microsoft, and Yahoo—will now be allowed to publish information about the number of Foreign Intelligence Surveillance Court orders they receive for customer data. They will also be able to reveal more about National Security Letters (NSLs), the secrecy of which was weakened by the USA Patriot Improvement and Reauthorization Act in 2006. Unlike Foreign Intelligence Surveillance Act (FISA) warrants, NSLs can only request metadata such as phone numbers dialed or e-mail addresses communicated with.

Since NSA leaker Edward Snowden revealed the PRISM program, which gives the NSA and the FBI access to the data of cloud providers' customers under a sweeping FISA warrant, technology companies have pressed the government for permission to share more information about disclosures in an attempt to reassure customers about their privacy. But the new agreement may not do much to soothe customers’ concerns, as it will still not allow the companies to reveal information about requests concerning specific customers. They’ll only be able to vaguely disclose government requests in increments of 250 or provide more specific information about the types of requests in increments of 1,000.

In other words, in theory, if Google got 150 FISA orders and 200 National Security Letters, the company could reveal that it had received “over 250” requests from the government. Or the company could optionally say it had received “under 1,000” FISA orders and “under 1,000” NSLs.

The agreement led Microsoft, Google, LinkedIn, Facebook and Yahoo to drop their lawsuits against the government over disclosure rights. “We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive,” the companies said in a joint statement. “We're pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we'll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”

Promoted Comments

While we at EFF welcome this small crack in the wall of secrecy that surrounds the Foreign Intelligence Surveillance Court and everything it does, it is only a first step. Yesterday's deal does not allow the companies to disclose anything more than a vague numeric range to quantify those demands. And unlike bills such as the USA FREEDOM Act, or the companies' FISC suit, yesterday's deal won't allow the companies to disclose which legal authorities the government is using (215, 702, etc.) in the FISC. We need that information especially, since we're currently trying to reform those very laws.

We were especially disappointed that the technology companies abandoned their fight in FISC just at the point when public opinion is so clearly in favor of transparency. No statute supports the government's new requirements (the 2-year gap for startups, the ranges of 1000, nothing). The companies had the law on their side and we believed they were going to win.

True transparency--as well as the First Amendment--requires that companies be allowed to map the scope of the United States government's surveillance apparatus. There is no national security justification for requiring that only vague numeric ranges, rather than exact numbers, be disclosed. And there is no possible justification for forcing the companies to stay silent about which laws the government purports to rely on.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.